Validate receipt signature with OpenSSL, using a custom date #16

@streeter

So today, a receipt that Apple uses to sign receipts expired. We can see this if we run the following:

~ openssl pkcs7 -inform der -in 34612809.bin -print_certs -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            18:59:43:21:72:74:9c:fc
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
        Validity
            Not Before: Nov 11 21:58:01 2010 GMT
            Not After : Nov 11 21:58:01 2015 GMT
        Subject: CN=Mac App Store Receipt Signing, OU=Apple Worldwide Developer Relations, O=Apple Inc., C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b6:93:c2:b7:0f:24:5e:ed:d2:34:48:e8:85:05:
                    e3:33:94:66:5b:e8:27:37:bf:7b:43:49:eb:f9:c9:
                    17:97:33:73:32:49:4a:c8:6f:68:29:14:b8:94:a6:
                    f4:65:4b:3b:47:d7:d1:2c:66:4b:b8:98:d9:bc:f5:
                    12:51:cb:e6:2f:a9:f4:b3:9f:1c:e8:28:fc:52:c0:
                    81:a2:cb:56:62:80:5a:a2:91:ae:4e:40:c3:7d:28:
                    2e:d7:d3:ed:4d:d9:ad:8a:fb:f2:67:48:ec:eb:79:
                    bd:02:6d:04:59:18:ff:8c:37:9f:8a:37:f1:62:ff:
                    bb:a2:03:50:87:0a:d5:92:e0:86:11:5e:23:46:f5:
                    e1:25:63:2b:a2:6a:8c:b2:10:b7:91:23:4d:9a:3f:
                    83:40:f2:64:09:5a:f7:8d:ae:56:5c:d4:f5:b4:6e:
                    03:1b:04:5d:2c:1b:af:00:99:17:d7:a5:fb:49:91:
                    ce:e2:a1:11:31:5e:19:01:c0:da:ce:50:83:5e:c8:
                    eb:49:3b:49:1a:2a:ea:e0:9f:bf:d2:46:49:9c:d8:
                    ab:a1:83:61:6c:0f:c1:fc:b3:ad:99:75:2a:fc:23:
                    9b:ef:22:08:eb:7b:59:14:11:9f:73:34:2d:e6:b9:
                    39:a6:3b:f7:e6:3e:ec:ca:a6:fb:ab:af:26:df:8f:
                    88:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
...

There are two other certs in the chain after the first one. However, the first one has the line Not After : Nov 11 21:58:01 2015 GMT, which makes all receipts signed with that cert bad. So if we check the receipt's signature locally, we will get that the receipt is expired.

What would be great, would be to have a way to verify the receipt with a given date. I have no idea if that is possible. For now, local verification with OpenSSL should be considered broken.

2b67fc4 moves the bundle and device verification later, and validates the response from Apple.
